I have been infected with malware and I hope you can help. I should start out by noting this is the first time I have used a forum, and also I am not familiar with much of the nomenclature I have seen in other forum entries. I hope you will excuse my inexperience.
I do not know the identity of the malware. There are two symptoms that I notice. One is a message from the Malwarebytes program. The second occurs when browsing with Internet Explorer.
1) The message from the Malwarebytes program is "Malwarebytes' Anti-Malware – Successfully blocked access to a potentially malicious website". One of several IP addresses is listed, among them: 213.163.89.104, 61.61.20.135, and 88.85.93.34.
2) When browsing with Internet Explorer, the malware opens a new window and goes to one of several websites. Among the websites are: http://lpgen.info, http://officialsurveygroup.com, http://www.togetthefacts.com, http://r.localpages.com, http://113594url.cptgt.com, http://www.directrdr.com, and http://playsushi.com.
I have the following security software installed:
- Malwarebytes 1.46
- Norton Security Suite Version 4.2.0.12
- Ad-Aware Version 8.3.0
In the past, scans by these programs have detected and removed viruses and malware, including Trojan.Zefarch, Trojan.Win32.Generic!BT, Win32.Adware.Agent, and Trojan.SpyeEye. As directed by the "I'm infected – What do I do now?" forum, I have updated the software, run scans, attached log files from Norton and Ad-Aware, and posted the Malwarebytes log below. The latest scans did not detect any malware, but the symptoms persist.
As also directed by the "I'm infected" forum, I have downloaded and run DeFogger, DDS, and GMER Rootkit Scanner programs. The contents of the DDS.txt file are shown below. I have zipped the attach.txt file from DDS and the ark.txt file from GMER. These zipped files are also attached.
I appreciate any help you can provide. Please let me know if you need any more information.
isao
__________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4383
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/3/2010 4:02:56 AM
mbam-log-2010-08-03 (04-02-56).txt
Scan type: Full scan (C:\|)
Objects scanned: 275258
Time elapsed: 1 hour(s), 59 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_____________________
DDS (Ver_10-03-17.01) - NTFSx86
Run by Home at 10:30:29.05 on Tue 08/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1398 [GMT -7:00]
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\Home Docking Station\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ixquick.com/eng/?&cat=web&query=&r=676506
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Internet Explorer Plugin: {9fe088dc-c3b2-479c-a314-08f90ce5166f} - vecrits93.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [<NO NAME>]
mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://kdadcexch001/connectcomputer/nshelp.dll
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.8564467593
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
============= SERVICES / DRIVERS ===============
R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2004-7-13 16006]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-2 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-8-1 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-8-1 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-8-1 501888]
R1 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\drivers\dk2drv.sys [2008-2-24 49592]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-8-1 116784]
R2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [2004-5-25 38176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-25 304464]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-8-1 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-1 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-6 59328]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100802.001\IDSXpx86.sys [2010-8-2 331640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-25 20952]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100802.041\NAVENG.SYS [2010-8-3 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100802.041\NAVEX15.SYS [2010-8-3 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S3 DK2USB;DK2usb Driver;c:\windows\system32\drivers\DK2USB.sys [2008-2-24 18232]
=============== Created Last 30 ================
2010-08-03 17:23:29 0 ----a-w- c:\documents and settings\home docking station\defogger_reenable
2010-08-02 22:45:36 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-02 21:28:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-02 20:50:43 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-02 20:50:05 0 d-----w- c:\program files\Lavasoft
2010-08-01 20:52:38 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-01 20:52:38 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-01 20:52:02 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-01 20:52:02 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-01 20:52:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-01 20:52:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-01 20:50:38 0 d-----w- c:\windows\system32\drivers\N360
2010-08-01 20:50:32 0 d-----w- c:\program files\Norton Security Suite
2010-08-01 20:49:44 0 d-----w- c:\program files\NortonInstaller
2010-08-01 20:49:44 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-08-01 20:48:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-07-29 23:07:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-26 21:38:11 42980 ----a-w- c:\windows\system32\oiffl
2010-07-26 21:38:11 105472 ----a-w- c:\windows\system32\klgd.bmp
2010-07-26 18:18:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-16 05:16:46 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
==================== Find3M ====================
2010-05-10 15:24:21 78765 ----a-w- c:\windows\system32\nvModes.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2009-01-08 18:32:46 52402132 ----a-w- c:\program files\TraffixW Back-up Before Installing Ver 8_0.zip
============= FINISH: 10:33:06.77 ===============
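As an added example, not part of the original post and not code from the DDS or Malwarebytes tools: a small Python triage script for lines in the format of DDS's "Pseudo HJT Report" section. It encodes the checks a helper applies to such a log by eye: a registration whose target is "No File" (a CLSID still in the registry with nothing on disk), a BHO or toolbar recorded by bare file name with no directory (every other BHO and TB entry in the log above carries a full path; a bare name means IE resolves it through the DLL search path, so the file has to be located and checked by hand), and Run values that are empty or whose command is not fully qualified. The sample lines are constructed from the shapes in the log above; the heuristics and severity labels are the example's own, and a flag means "look at this", not "this is malware".

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT Report" format (DDS writes hxxp for http).
# The lines mirror the shapes that appear in the log above; they are test input only.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.ixquick.com/eng/?&cat=web&query=&r=676506
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Internet Explorer Plugin: {9fe088dc-c3b2-479c-a314-08f90ce5166f} - vecrits93.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

# IE extension registrations: BHO / toolbar (TB) / explorer bar (EB) / URL search hook.
PLUGIN_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|uURLSearchHooks): (?:(?P<name>.*?): )?"
    r"(?P<id>\{[0-9a-f-]{36}\}|H) - (?P<target>.*)$",
    re.IGNORECASE,
)
# Autostart values: uRun = current-user Run key, mRun = machine Run key in DDS shorthand.
RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A fully qualified command or module path: drive letter, %ENV%\ prefix or UNC,
# optionally quoted. Anything else is resolved through the search path at load time.
ABS_PATH_RE = re.compile(r'^"?(?:[a-z]:\\|%[a-z]+%\\|\\\\)', re.IGNORECASE)


def _finding(kind: str, severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"kind": kind, "severity": severity, "line": line, "reason": reason}


def triage_hjt(report: str) -> List[Dict[str, str]]:
    """Return review flags for a DDS Pseudo HJT Report. Heuristics are this example's own."""
    findings: List[Dict[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PLUGIN_RE.match(line)
        if m:
            target = m.group("target").strip()
            if target.lower() == "no file":
                findings.append(_finding(
                    "orphaned", "low", line,
                    "CLSID still registered but no file on disk; dead registration, clean up"))
            elif not ABS_PATH_RE.match(target):
                findings.append(_finding(
                    "unqualified", "high", line,
                    "IE extension recorded by bare file name; loaded into every IE process "
                    "via DLL search order, so locate the file and verify it by hand"))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                findings.append(_finding(
                    "empty", "low", line,
                    "Run value with no command; dead entry, review and remove"))
            elif not ABS_PATH_RE.match(cmd):
                findings.append(_finding(
                    "unqualified", "medium", line,
                    "Run command without a full path; confirm which binary the search path resolves"))
    return findings


def high_severity_lines(report: str) -> List[str]:
    """Just the lines that need a hands-on look first."""
    return [f["line"] for f in triage_hjt(report) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['kind']:11} {f['line']}\n         {f['reason']}")
```

Run it on the real report by pasting the Pseudo HJT Report section into a file and passing its contents to triage_hjt(); fully pathed vendor entries such as ctfmon.exe, qttask.exe and dumprep pass through silently, while the unqualified BHO comes out as the single high-severity line.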